The SEI helps advance software engineering principles and practices and serves as a national resource in software engineering, computer security, and process improvement. The SEI works closely with defense and government organizations, industry, and academia to continually improve software-intensive systems. Its core purpose is to help organizations improve their software engineering capabilities and develop or acquire the right software, defect free, within budget and on time, every time.

Rapid Validation of Android Apps

One problem common to tactical environments is that software does not keep pace with changing missions. This is partly due to the time needed to develop new software capabilities and partly due to the time needed to ensure that the new software conforms to the security requirements of networks in tactical environments. The SEI's work on user-configured situational awareness mashups helps address the first problem, and its work on rapid validation of Android apps helps address the second.

Increased variability and tempo of missions lead to demands to field new apps quickly, which presents unique challenges for the verification and validation of these apps. Traditional techniques require complicated development practices, involve large teams of testers, and can create bottlenecks in getting systems ready for deployment.

The SEI is developing an automated solution to help with rapid validation and verification of mobile apps, focusing on Android apps. The solution leverages existing expertise in developing coding rules for Java and in developing static analysis and software model-checking tools for C and Java. The coding rules will capture correct interaction with the network such that conformance to the rules improves confidence in the safe and secure operation of the app. We will develop a static analysis framework to check for violations of the coding rules, use our expertise to decide which rules are suitable for static analysis, and use well-established static analysis platforms for Java to write checkers for suitable rules.

Automated validation will increase confidence that apps deployed on mobile devices adhere to the security requirements of both the mobile devices and the networks with which they interact. It will also reduce the time lag between development and deployment, moving the apps faster into the field where they are needed.